<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Microsoft Secure</title>
<atom:link href="https://cloudblogs.microsoft.com/microsoftsecure/feed/" rel="self" type="application/rss+xml" />
<link>https://cloudblogs.microsoft.com/microsoftsecure</link>
<description>In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance</description>
<lastBuildDate>Thu, 09 Nov 2017 17:00:49 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=4.8.3</generator>
<item>
<title>A decade inside Microsoft Security</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/11/09/a-decade-inside-microsoft-security/</link>
<pubDate>Thu, 09 Nov 2017 17:00:49 +0000</pubDate>
<dc:creator><![CDATA[Jenny Erie]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=74932</guid>
<description><![CDATA[Ten years ago, I walked onto Microsoft's Redmond campus to take a role on a team that partnered with governments and CERTs on cybersecurity. I'd just left a meaningful career in US federal government service because I thought it would be fascinating to experience first-hand the security challenges and innovation from the perspective of the <p><a class="read-more" title="A decade inside Microsoft Security" aria-label="Read more about A decade inside Microsoft Security" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/11/09/a-decade-inside-microsoft-security/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p><img class="alignleft wp-image-74935 size-medium" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/11/187202970-300x192.jpg" alt="" width="300" height="192" srcset="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/11/187202970-300x192.jpg 300w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/11/187202970-768x491.jpg 768w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/11/187202970-1024x654.jpg 1024w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/11/187202970-330x211.jpg 330w" sizes="(max-width: 300px) 100vw, 300px" /></p> <p>Ten years ago, I walked onto Microsoft's Redmond campus to take a role on a team that partnered with governments and CERTs on cybersecurity. I'd just left a meaningful career in US federal government service because I thought it would be fascinating to experience first-hand the security challenges and innovation from the perspective of the IT industry, especially within Microsoft, given its presence around the US federal government. I fully expected to spend a year or two in Microsoft and then resume my federal career with useful IT industry perspectives on security. Two days after I started, Popular Science's annual "Ten worst jobs in science" <a href="http://www.popsci.com/scitech/article/2007-06/worst-jobs-science-2007">survey</a> came out, and I was surprised to see "Microsoft Security Grunt" in sixth place. Though the article was tongue-in-cheek, saluting those who take on tough challenges, the fact that we made this ignominious list certainly made me wonder if I'd made a huge mistake.</p> <p>I spent much of my first few years hearing from government and enterprise executives that Microsoft was part of the security problem. 
Working with so many hard-working engineers, researchers, security architects, threat hunters, and developers trying to tackle these increasingly complex challenges, I disagreed. But, we all recognized that we needed to do more to defend the ecosystem, and to better articulate our efforts. We'd been investing in security well before 2007, notably with the Trustworthy Computing Initiative and Security Development Lifecycle, and we continue to <a href="https://blogs.microsoft.com/microsoftsecure/2017/03/27/giving-cisos-assurance-in-the-cloud/">invest heavily</a> in technologies and people – we now employ over 3,500 people in security across the company. I rarely hear anymore that we are perceived as a security liability, but our work isn't done. Ten years later, I'm still here, busier than ever, delaying my long-expected return to federal service, helping enterprise CISOs secure their environments, their users, and their data.</p> <h2>Complexity vs. security</h2> <p>Is it possible, however, that our industry's investments in security have created another problem – that of complexity? Have we innovated our way into a more challenging situation? My fellow security advisors at Microsoft have shared customer frustrations over the growing security vendor presence in their environments. While these different technologies may solve specific requirements, in doing so, they create a management headache. Twice this week in Redmond, CISOs from large manufacturers challenged me to help them better understand security capabilities they already owned from Microsoft, but weren't aware of. They sought to use this discovery process to identify opportunities to rationalize their security vendor presence. As one CISO said, "Just help me simplify all of this."</p> <p>There is a large ecosystem of very capable and innovative professionals delivering solutions into a vibrant and crowded security marketplace. 
With all of this IP, how can we best help CISOs use important innovation while reducing complexity in their environments? And, can we help them maximize value from their investments without sacrificing security and performance?</p> <h2>Best-of-suite capabilities</h2> <p>Large enterprises may employ up to 100 vendors' technologies to handle different security functions. Different vendors may handle identity and access management, data loss prevention, key management, service management, cloud application security, and so on. Many companies are now turning to machine learning and user behavior technologies. Many claim "best of breed" or "best in class" capabilities, and there is impressive innovation in the marketplace. Recognizing this, we have made acquisition a part of Microsoft's security strategy – since 2013 we've acquired companies like Aorato, Secure Islands, Adallom, and most recently <a href="https://news.microsoft.com/2017/06/08/microsoft-signs-agreement-to-acquire-hexadite/#d7J332lOju7Bzups.97">Hexadite</a>.</p> <p>Microsoft's experience as a large global enterprise is similar to that of our enterprise customers. We've been working to rationalize the 100+ different security providers in our infrastructure to help us better manage our external dependencies and more efficiently manage budgets. We've been moving toward a default policy of "Microsoft first" security technology where possible in our environment. Doing so helps us standardize on newer and familiar technologies that complement each other.</p> <p>That said, whether we build or buy, our focus is to deliver an overall "best in suite" approach to help customers deploy, maintain, monitor, and protect our enterprise products and services as securely as possible. We are investing heavily in the <a href="https://www.microsoft.com/en-us/security/intelligence">Intelligent Security Graph</a>. 
It leverages our vast security intelligence, connects and correlates information, and uses advanced analytics to help detect and respond to threats faster. If you are already working with Microsoft to advance your productivity and collaboration needs by deploying Windows 10, Office 365, Azure, or other core enterprise services, you should make better use of these investments and reduce dependency on third-party solutions by taking advantage of built-in monitoring and detection capabilities in these solutions. A best-of-suite approach also lowers the costs and complexity of administering a security program, e.g. making vendor assessments and procurement easier, reducing training and learning curves, and standardizing on common dashboards.</p> <p>Reducing complexity also requires that we make our security technologies easy to acquire and use. Here are some interesting examples of how our various offerings connect to each other and have built-in capabilities:</p> <ul> <li>The <a href="https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp">Windows Defender Advanced Threat Protection</a> (ATP) offering seamlessly integrates with O365 ATP to provide more visibility into adversary activity against devices and mailboxes, and to give your security teams more control over these resources. <a href="https://www.youtube.com/watch?v=HkQZR9RBbPE&feature=youtu.be">Watch this great video to learn more about the services' integration</a>. Windows Defender ATP monitors behaviors on a device and sends alerts on suspicious activities. The console provides your security team with the ability to perform one-click actions such as isolating a machine, collecting a forensics package, and stopping and quarantining files. You can then track the kill chain into your O365 environment if a suspicious file on the device arrived via email. 
Once in O365 ATP, you can quarantine the email, detonate a potentially malicious payload, block the traffic from your environment, and identify other users who may have been targeted.</li> <li><a href="https://www.microsoft.com/en-us/cloud-platform/azure-information-protection">Azure Information Protection</a> provides built-in capabilities to classify and label data, apply rights-management protections (that follow the data object), and gives data owners and admins visibility into, and control over, where that data goes and whether recipients attempt to violate policy.</li> </ul> <p>Thousands of companies around the world are innovating, competing, and partnering to defeat adversaries and to secure the computing ecosystem. No single company can do it all. But by making it as convenient as possible for you to acquire and deploy technologies that integrate, communicate and complement each other, we believe we can offer a best-of-suite benefit to help secure users, devices, apps, data, and infrastructure. Visit <a href="https://www.microsoft.com/secure">https://www.microsoft.com/secure</a> to learn about our solutions and reach out to your local Microsoft representative to learn more about compelling security technologies that you may already own. For additional information, and to stay on top of our investments in security, bookmark this Microsoft Secure blog.</p> <hr /> <p><em><a href="https://www.linkedin.com/public-profile/settings?trk=d_flagship3_profile_self_view_public_profile">Mark McIntyre, CISSP</a>, is an Executive Security Advisor (ESA) in the Microsoft Enterprise and Cybersecurity Group. Mark works with global public sector and commercial enterprises, helping them transform their businesses while protecting data and assets by moving securely to the Cloud. As an ESA, Mark supports CISOs and their teams with cybersecurity reviews and planning. 
He also helps them understand Microsoft's perspectives on the evolving cyber threat landscape and how Microsoft defends its enterprise, employees and users around the world.</em></p> ]]></content:encoded>
</item>
<item>
<title>Defending against ransomware using system design</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/defending-against-ransomware-using-system-design/</link>
<pubDate>Mon, 06 Nov 2017 17:00:56 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=74899</guid>
<description><![CDATA[This post is authored by Michael Melone, Principal Cybersecurity Consultant, Enterprise Cybersecurity Group. Earlier this year, the world experienced a new and highly-destructive type of ransomware. The novel aspects of WannaCry and Petya were not their skills as ransomware, but the combination of commonplace ransomware tactics paired with worm capability to improve propagation. WannaCry achieved its <p><a class="read-more" title="Defending against ransomware using system design" aria-label="Read more about Defending against ransomware using system design" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/defending-against-ransomware-using-system-design/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p><em>This post is authored by Michael Melone, Principal Cybersecurity Consultant, Enterprise Cybersecurity Group.</em></p> <p>Earlier this year, the world experienced a new and highly-destructive <a href="https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/">type of ransomware</a>. The novel aspects of WannaCry and Petya were not their skills as ransomware, but the combination of commonplace <a href="https://www.microsoft.com/en-us/wdsi/threats/ransomware">ransomware</a> tactics paired with worm capability to improve propagation.</p> <p><a href="https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/">WannaCry</a> achieved its saturation primarily through exploiting a discovered and patched vulnerability in a common Windows service. The vulnerability (<a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">MS17-010</a>) impacted the Windows Server service, which enables communication between computers using the SMB protocol. Machines infected by WannaCry propagate by connecting to a nearby unpatched machine, performing the exploit, and executing the malware. Execution of the exploit did not require authentication, thus enabling infection of any unpatched machine.</p> <p><a href="https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/">Petya</a> took this worming functionality one step further and additionally introduced credential theft and impersonation as a form of worming capability. These techniques target single sign-on technologies, such as traditional domain membership. This added capability specifically targeted enterprise environments and enabled the malware to use a single unpatched endpoint to springboard into the network, then use active sessions on the machine to infect other machines regardless of patch level. 
To an enterprise, a single unpatched endpoint paired with poor credential hygiene could be used to enable propagation throughout the enterprise.</p> <p>Most impersonation and credential theft attacks are possible only when malware obtains local administrator or equivalent authorization to the operating system. For Petya, this would mean successful exploitation of MS17-010, or running under the context of a user with local administrator authorization.</p> <h3>Measuring the value of a user account</h3> <p>To a hacker, an infected or stolen identity is measurable in two ways: the breadth of computers that trust and grant authorization to the account, and the level of authorization granted upon successful authentication. Since encryption can be performed by any user account, ransomware benefits most when it infects an account which can convey write authorization to a large amount of data.</p> <p>In most cases (thus far), the data sought out by ransomware has been either local files or those accessible over a network-attached share, data which can be accessed by the malware using out-of-the-box operating system interfaces. As such, data encrypted by most ransomware includes files in the user's profile, home directory, or on shared directories where the user has access and write authorization.</p> <p>In the case of WannaCry, the identity used by the ransomware was SYSTEM, an effectively unrestricted account from an authorization perspective. Running as SYSTEM, WannaCry had authorization to encrypt any file on the infected machine.</p> <p>Petya's encryption mechanism <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/">required the ability to overwrite the boot sector</a> of the hard drive. The malware then creates a scheduled task to restart the machine at least 10 minutes later to perform the encryption. 
The offline encryption mechanism prevented destruction of network files by Petya.</p> <h3>Infected machines and worms</h3> <p>Pivoting our focus to the worm aspect of these ransomware variants, the value of an infected host to a hacker is measurable in two ways: the quantity of newly accessible targets resulting from infection and the data which now becomes available because of the infection. Malware with worming capability focuses on widespread propagation, thus machines which can access new targets are highly valuable.</p> <p>To both WannaCry and Petya, a newly infected system offered a means to access previously inaccessible machines. For WannaCry, any potential new targets needed to be vulnerable to MS17-010. Vulnerability gave both malware variants SYSTEM-level authority, thus enabling successful execution of their payload.</p> <p>Additionally, in the case of Petya, any machine having reusable credentials in memory furthered its ability to propagate. Petya searches for active sessions on an infected machine and tries to use the session to infect machines which may not have been vulnerable to MS17-010. 
As a result, a single vulnerable endpoint may expose a reusable administrative credential usable to infect potential targets which grant that credential a necessary level of authorization.</p> <h3>Codifying the vulnerability</h3> <p>To defend against a ransomware application with worm capability we need to target the following areas:</p> <ul> <li>Ransomware <ul> <li>Reduce the authorization level of users relative to the operating system of an infected machine</li> <li>Perform backups or versioning of files to prevent loss of data due to encryption, deletion, or corruption</li> <li>Limit authorization to delete or tamper with the data backups</li> </ul> </li> <li>Worms <ul> <li>Reduce the ability for an infected host to access a potential infection target</li> <li>Reduce the number of remotely exploitable vulnerabilities that provide remote code execution</li> <li>Reduce exposure of reusable credentials relative to the likelihood of a host to compromise</li> </ul> </li> </ul> <h2>Resolving concerns through design</h2> <p>Many of the risks associated with ransomware and worm malware can be alleviated through systems design. Referring to our now codified list of vulnerabilities, we know that our solution must:</p> <ul> <li>Limit the number (and value) of potential targets that an infected machine can contact</li> <li>Limit exposure of reusable credentials that grant administrative authorization to potential victim machines</li> <li>Prevent infected identities from damaging or destroying data</li> <li>Limit unnecessary risk exposure to servers housing data</li> </ul> <h3>Windows 10, BYOD, and Azure AD Join</h3> <p>Windows 10 offers a new management model that differs significantly from traditional domain joined machines. Azure Active Directory joined machines can still convey identity to organizational resources; however, the machine itself does not trust domain credentials. 
This design prevents reusable accounts from exposure to workstations, thus protecting the confidentiality of the credential. Additionally, this limits the impact of a compromised domain account since Azure AD joined machines will not trust the identity.</p> <p>Another benefit of Windows 10 with Azure AD is the ability to move workstations outside of the firewall, thus reducing the number of potential targets once infection occurs. Moving endpoints outside the firewall reduces the impact of any workstation threat by reducing the benefits normally gained by compromising a machine within the corporate firewall. As a result, this design exposes fewer server ports to potentially compromised endpoints, thus limiting the attack surface and reducing the likelihood of worm propagation.</p> <p>Moving workstations outside of the firewall offers added security for the workstation as well. Migrating to a BYOD architecture can enable a more stringent client firewall policy, which in turn reduces the number of services exposed to other hosts, and thus improves the machine's defense against worms and other inbound attacks.</p> <p>Additionally, most organizations use many laptops which often connect from untrusted locations outside the firewall. While outside of the firewall, these machines can connect to untrusted sources, become infected, then bring the infection inside the firewall the next time they are able to connect to the internal network. This causes confusion when trying to identify the initial infection during an incident response, and potentially exposes the internal network to unnecessary risk.</p> <h3>Consider migrating file shares to OneDrive or Office 365</h3> <p>Migrating data from traditional file shares into a solution such as SharePoint or OneDrive can limit the impact of a ransomware attack. Data stored in these technologies can enforce version control, thus potentially simplifying recovery. 
To further protect this data, limit the number of SharePoint users who have administrative authority to the site to prevent emptying of the recycle bin.</p> <h3>Ensure resilient backups</h3> <p>When an attack occurs, it is crucial to <a href="https://blogs.technet.microsoft.com/mmpc/2017/03/28/world-backup-day-is-as-good-as-any-to-back-up-your-data/">ensure ransomware cannot destroy data backups</a>. Although convenient, online data backups may be subject to destruction during an attack. Depending on design, an online backup solution may trust a stolen reusable single sign-on credential to enable deletion or encryption of backup data. If this occurs, backups may be rendered unusable during the attack.</p> <p>To prevent this, consider Azure Cloud Backup, a secure off-site backup solution. Azure Cloud Backup is managed through the Azure Portal, which can be configured to require separate authentication, including multi-factor authentication. Volumes used to store backup data reside in Azure and cannot be initialized or overwritten using on-premises domain credentials.</p> <h2>Closing</h2> <p>Windows 10 and BYOD architecture offer significant defense against a variety of cyberattacks, including worms and ransomware. 
This article covers only some of the protections that Windows 10 offers against credential theft, bootkits, rootkits, and other malware techniques employed by this class of highly destructive malware.</p> <p>To better defend your organization against future malware outbreaks:</p> <ul> <li>Prepare to migrate client machines to <a href="https://docs.microsoft.com/en-us/windows/deployment/planning/">Windows 10</a></li> <li>Plan for BYOD device management using <a href="https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management">Microsoft Intune</a> and <a href="https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction">Azure AD joined machines</a></li> <li>Implement <a href="https://docs.microsoft.com/en-us/azure/backup/backup-azure-microsoft-azure-backup">Azure Backup</a> to provide a resilient and malware-resistant backup solution</li> <li>Learn how <a href="https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection">Windows Defender Advanced Threat Protection (ATP)</a> can help your organization quickly detect and respond to malware outbreaks</li> </ul> ]]></content:encoded>
</item>
<item>
<title>Learn from leading cybersecurity experts</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/26/learn-from-leading-cybersecurity-experts/</link>
<pubDate>Thu, 26 Oct 2017 16:00:28 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=74758</guid>
<description><![CDATA[More than 170K technology and business leaders from across the world depend on Microsoft's Modern Workplace monthly webcast to shed new light on business challenges related to technology. Over the past four years, Modern Workplace has had the world's leading experts share their advice on technology topics, such as security, including CISOs, Chief Privacy Officers, <p><a class="read-more" title="Learn from leading cybersecurity experts" aria-label="Read more about Learn from leading cybersecurity experts" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/26/learn-from-leading-cybersecurity-experts/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p><img class="alignleft wp-image-74761 size-medium" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-300x300.jpg" alt="" width="300" height="300" srcset="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-300x300.jpg 300w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-150x150.jpg 150w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-768x768.jpg 768w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-1024x1024.jpg 1024w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-250x250.jpg 250w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-330x330.jpg 330w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-32x32.jpg 32w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-50x50.jpg 50w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-64x64.jpg 64w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-96x96.jpg 96w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01-128x128.jpg 128w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Image_MWepisode_Hero_Logo_White327x327-01.jpg 1363w" 
sizes="(max-width: 300px) 100vw, 300px" />More than 170K technology and business leaders from across the world depend on Microsoft's Modern Workplace monthly webcast to shed new light on business challenges related to technology. Over the past four years, Modern Workplace has had the world's leading experts share their advice on technology topics, such as security, including CISOs, Chief Privacy Officers, Cyber Intelligence Advisors, and Chief Digital Officers. Just in the past year, Modern Workplace security episodes included:</p> <ul> <li><a href="https://resources.office.com/ww-landing-modern-workplace-ep307.html">Cyber Intelligence: The Human Element</a> (covering Identity and Access Management)</li> <li><a href="https://resources.office.com/modern-workplace-webinar-registration-306.html">Cyber Intelligence: Help Prevent a Breach</a> (covering Threat Protection)</li> <li><a href="https://resources.office.com/modern-workplace-webinar-registration-302.html">The Privacy Balance: Staying Secure and Ethical with Your Data</a> (covering Information Protection)</li> <li><a href="https://resources.office.com/modern-workplace-webinar-registration-301.html">Data Defense: An Inside Look at Your Secure Cloud</a> (covering Security Management)</li> </ul> <p>These episodes include more than just security checklists and basics; they go into depth around the decisions business leaders are faced with every day. In the episode on data privacy, Hillery Nye, Chief Privacy Officer at Glympse, explained how the startup company made a very conscious decision to not collect data that it could have easily gathered from its real-time location sharing app. The company collects customer data and uses it for very specific purposes, but it never stores or sells that data. The company may have given up some opportunities to monetize its customer data, but Nye feels that the company gains even more by being a responsible corporate citizen and establishing a reputation for privacy. 
She discussed how a company's brand is affected by its privacy policies, and how businesses can better align their privacy policies with business strategy for long-term success.</p> <p>The Modern Workplace series has been nominated for four regional Emmy awards because of its creative presentation of diverse perspectives and insights. To learn more about how technology can help drive your business, check out the <a href="https://products.office.com/en-US/business/modern-workplace">Modern Workplace episodes</a> on-demand today!</p> ]]></content:encoded>
</item>
<item>
<title>A 4-point action plan for proactive security</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/24/a-4-point-action-plan-for-proactive-security/</link>
<pubDate>Tue, 24 Oct 2017 15:00:05 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=74746</guid>
<description><![CDATA[It can be difficult these days to make sense of all the potential ways you could step up your security. But with automated attacks moving faster and faster, many organizations are feeling a real need to change their approach and get more proactive about security. Should you focus on endpoint detection and response (EDR)? <p><a class="read-more" title="A 4-point action plan for proactive security" aria-label="Read more about A 4-point action plan for proactive security" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/24/a-4-point-action-plan-for-proactive-security/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p><img class="size-full wp-image-74749 alignleft" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/EMS-Hybrid-Cloud_Webinars_square1.png" alt="" width="300" height="220" /></p> <p>It can be difficult these days to make sense of all the potential ways you could step up your security. But with automated attacks moving faster and faster, many organizations are feeling a real need to change their approach and get more proactive about security.</p> <p>Should you focus on endpoint detection and response (EDR)? Should you deploy multi-factor authentication (MFA) to control access to all your corporate resources? Or do you need to control your cloud apps and infrastructure more closely with a cloud access security broker (CASB)? Should your first step be deploying data loss prevention (DLP)?</p> <p>If you're feeling a little confused about where to start, join us for our webinar: <a href="https://info.microsoft.com/Your4PointActionPlanForProactiveSecurity-Registration.html">A 4-point action plan for proactive security</a>. We'll share how Microsoft approaches security and how you can cut through all the confusion to prioritize a few projects that will have real impact on your level of protection.</p> ]]></content:encoded>
</item>
<item>
<title>SSN for authentication is all wrong</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/ssn-for-authentication-is-all-wrong/</link>
<pubDate>Mon, 23 Oct 2017 19:00:38 +0000</pubDate>
<dc:creator><![CDATA[Jenny Erie]]></dc:creator>
<category><![CDATA[Cybersecurity]]></category>
<category><![CDATA[Data Privacy]]></category>
<category><![CDATA[Tips & Talk]]></category>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=74725</guid>
<description><![CDATA[Unless you were stranded on a deserted island or participating in a zen digital fast, chances are you've heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes, an important part of the conversation was lost: if we didn't misuse our social security numbers, <p><a class="read-more" title="SSN for authentication is all wrong" aria-label="Read more about SSN for authentication is all wrong" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/ssn-for-authentication-is-all-wrong/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p>Unless you were stranded on a deserted island or participating in a zen digital fast, chances are you've heard plenty about the massive <a href="https://www.cnbc.com/2017/09/26/equifax-ceo-retires-following-an-epic-data-breach-affecting-143-million-people.html">Equifax breach and the head-rolling fallout</a>. In the flurry of headlines and advice about credit freezes, an important part of the conversation was lost: if we didn't misuse our social security numbers, losing them wouldn't be a big deal. Let me explain: most people, and that mainly includes some pretty high-up identity experts that I've met in my travels, don't understand the difference between identification and verification. In the real world, conflating those two points doesn't often have dire consequences. In the digital world, it's a huge mistake that can lead to severe impacts.</p> <p>Isn't it all just authentication, you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failure to understand the differences is where the mess comes in. However, one reason it's so hard for many of us to separate identification and verification is that historically we haven't had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.</p> <p>The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase, for example when you have to bring a birth certificate to the DMV to get your initial driver's license, and ongoing identification like a unique ID and a photo. These documents served as a single identification and verification mechanism. And that was great! Worked fine for years, until the digital age.</p> <p>The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.</p> <h2>Who are you? Prove it!</h2> <p>This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.</p> <p>Do you want your name to be private? Imagine meeting another parent at your kid's soccer game and refusing to tell them your name for security reasons. How about: "Oh, your new puppy is so adorable, what's her name?" And you respond, "If I told you, I'd have to kill you." Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.</p> <p>We also want consistency in our identifiers. Imagine if that town had street signs, but changed the names of the streets every 24 hours for security reasons. And uniqueness: if every street had the same name, you'd still have a heck of a time finding the right address, wouldn't you?</p> <p>Now that we're clear on what the identifier is, we can enumerate a few aspects that make up a really good one:</p> <ul> <li>Public</li> <li>Unchanging</li> <li>Unique</li> </ul> <p>In a town or public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky: how do you verify someone or something you've never met before? Ask them to prove it!</p> <p>We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because it's very hard to forge a whole person. Or to switch all the street signs in a town. But verification online is trickier. We need to be able to provide verification of who we are to a number of entities, many of whom aren't great at protecting data. And if the same verification is re-used across entities, and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too. Which can lead to some fun calls with customer service: "Oh, the town where I was born? It's: xja*21njaJK)`jjAQ^." At this point in time our father's middle name, first pet's name, town where we were born, school we went to and address history should be assumed public; using them as secrets for verification doesn't make sense anymore.</p> <p>If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. What if you couldn't change your password ever? It was permanent and also got lost during the Yahoo! breach? And it was the one you use at your bank, and for your college and car loans, and your health insurance? How would you feel?</p> <p>So, with that in mind, you'd probably agree that the best digital verifiers are:</p> <ul> <li>Private</li> <li>Easily changed</li> <li>Unique</li> </ul> <h2>Your turn</h2> <p>OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think: is your SSN a better identifier or verifier?</p> ]]></content:encoded>
</item>
<item>
<title>Event recap: Security at Microsoft Ignite</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/18/event-recap-security-at-microsoft-ignite/</link>
<pubDate>Wed, 18 Oct 2017 18:00:39 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=70570</guid>
<description><![CDATA[Microsoft Ignite recently gathered 24,000+ attendees from around the world in Orlando, FL. CEO Satya Nadella kicked off an exciting week with his Vision Keynote by articulating how we enable digital transformation, specifically through empowering employees, engaging customers, optimizing operations, and finally through transforming products. Commitment to security, privacy, and transparency At the event, Microsoft <p><a class="read-more" title="Event recap: Security at Microsoft Ignite" aria-label="Read more about Event recap: Security at Microsoft Ignite" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/18/event-recap-security-at-microsoft-ignite/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p><img class="size-full wp-image-70594 alignleft" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/3-10_MSCOM_Ignite_About_Future_Expo_358x201.jpg" alt="" width="358" height="201" srcset="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/3-10_MSCOM_Ignite_About_Future_Expo_358x201.jpg 358w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/3-10_MSCOM_Ignite_About_Future_Expo_358x201-300x168.jpg 300w" sizes="(max-width: 358px) 100vw, 358px" /></p> <p>Microsoft Ignite recently gathered 24,000+ attendees from around the world in Orlando, FL. CEO Satya Nadella kicked off an exciting week with his <a href="https://myignite.microsoft.com/sessions/59125?source=sessions">Vision Keynote</a> by articulating how we enable digital transformation, specifically through empowering employees, engaging customers, optimizing operations, and finally through transforming products.</p> <h2>Commitment to security, privacy, and transparency</h2> <p>At the event, Microsoft reaffirmed its commitment to security, privacy, and transparency to its customers and partners through all four main solution areas: Modern Workplace, Business Applications, Applications & Infrastructure, and Data & Artificial Intelligence. Julia White explained Microsoft's approach to security during her session, <a href="https://myignite.microsoft.com/sessions/56550?source=sessions">Microsoft 365: Step up your protection with intelligent security</a>.</p> <h2>Learnings from our customers and partners</h2> <p>During the event, the Microsoft team had the privilege to engage in 410,000 unique interactions within the Expo. In addition, 8,000+ labs were consumed, and there were 54 sessions: two general sessions, 40 breakout sessions across CE, Windows and Office 365 tracks, and 12 theater sessions. Our top three security takeaways were:</p> <ol> <li>Build awareness of Microsoft's commitment to security and privacy</li> <li>Early and frequent communication of product updates</li> <li>Transparency from Microsoft equates to trust from customers</li> </ol> <h2>Key security related sessions to check out</h2> <p>Key security sessions we recommend you check out are based entirely upon feedback from our customers and partners who attended the sessions. Please take a moment to watch them and learn about new ways you can improve the security posture of your organization.</p> <ul> <li><a href="https://myignite.microsoft.com/sessions/53404?source=sessions">Shut the door to cybercrime with Azure Active Directory risk-based identity protection</a></li> <li><a href="https://myignite.microsoft.com/sessions/53405?source=sessions">Productivity and protection for your employees, partners, and customers with Azure Active Directory</a></li> <li><a href="https://myignite.microsoft.com/sessions/53402?source=sessions">Deep-dive: Azure Active Directory Authentication and Single-Sign-On</a></li> <li><a href="https://myignite.microsoft.com/sessions/53401?source=sessions">Azure Active Directory best practices from around the world</a></li> <li><a href="https://myignite.microsoft.com/sessions/53379?source=sessions">Learn how to use Microsoft Intune with the new admin console and Microsoft Graph API</a></li> <li><a href="https://myignite.microsoft.com/sessions/53454?source=sessions">Accelerate Azure information protection deployment and adoption</a></li> <li><a href="https://myignite.microsoft.com/sessions/53476?source=sessions">Learn about Microsoft Advanced Threat Analytics Futures</a></li> <li><a href="https://myignite.microsoft.com/sessions/53397?source=sessions">Saying goodbye to passwords</a></li> <li><a href="https://myignite.microsoft.com/sessions/53810?source=sessions">How to get Office 365 to the next level with Azure Active Directory Premium</a></li> <li><a href="https://myignite.microsoft.com/sessions/53821?source=sessions">What's new and upcoming in AD FS to securely sign-in your users to Office 365 and other applications</a></li> </ul> <h2>On demand access to content</h2> <p>All breakout sessions and general sessions were recorded for on demand viewing. These recordings are now available at <a href="https://myignite.microsoft.com/videos">Microsoft Ignite on demand sessions</a>. Please continue to share this link with your customers and partners. Labs will be available for 6 months through <a href="https://myignite.microsoft.com/sessions?q=security">MyIgnite</a>.</p> <h2>Conclusion</h2> <p>Microsoft Ignite was a fantastic week for all who attended. We not only shared product visions, but also listened and learned from engagements with customers and partners. With continued advances in our security offerings and development of better ways for partners to build a more modern, collaborative and secure work environment, it will be an exciting year for Security.</p> ]]></content:encoded>
</item>
<item>
<title>Cybersecurity in a modern age</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/17/cybersecurity-in-a-modern-age/</link>
<pubDate>Tue, 17 Oct 2017 16:00:14 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=70528</guid>
<description><![CDATA[By 2021, worldwide cybercrime damage is expected to reach $6 trillion, double what it cost businesses in 2015. As digital transformation sweeps the globe, the imminent threat of cybercrime grows alongside it. As a result, new techniques in cybersecurity must be developed at a growing rate to keep pace. Digital-first is the new business frontier, and <p><a class="read-more" title="Cybersecurity in a modern age" aria-label="Read more about Cybersecurity in a modern age" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/17/cybersecurity-in-a-modern-age/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p><img class="size-full wp-image-70540 aligncenter" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/17349_MSFT_SecurityRoadShowSeriesBlogs_SecureBlog_960x300_R1_V2.jpg" alt="" width="960" height="300" srcset="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/17349_MSFT_SecurityRoadShowSeriesBlogs_SecureBlog_960x300_R1_V2.jpg 960w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/17349_MSFT_SecurityRoadShowSeriesBlogs_SecureBlog_960x300_R1_V2-300x94.jpg 300w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/17349_MSFT_SecurityRoadShowSeriesBlogs_SecureBlog_960x300_R1_V2-768x240.jpg 768w" sizes="(max-width: 960px) 100vw, 960px" /></p> <p>By 2021, worldwide cybercrime damage is expected to reach $6 trillion, <a href="http://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/">double what it cost businesses in 2015</a>. As digital transformation sweeps the globe, the imminent threat of cybercrime grows alongside it. As a result, new techniques in cybersecurity must be developed at a growing rate to keep pace.</p> <p>Digital-first is the new business frontier, and if we want to keep this landscape a safe space to store and share information, we must be able to quickly identify opportunities to bolster security and adapt to evolving threats. Microsoft's cloud technology offers organizations the tools to advance security, enhance government compliance, improve security education, and enable industry collaboration to shut down new threats. Microsoft is creating a new path toward digital transformation in a secure space.</p> <p>Through cloud technologies, IT professionals now have advanced tools at their fingertips that provide real-time visibility into cybersecurity and the ability to proactively thwart threats before they become an issue. 
As more organizations move to the cloud, management of security risks can occur in real time. This real-time action on cyber threats helps create cost efficiency, and allows for frequent and seamless updates without reconfiguration, giving IT leaders the upper hand in staying compliant with regulatory guidelines.</p> <p>With cloud-based technology come real solutions in data loss prevention. IT professionals are using the cloud to secure employee data in new and highly effective ways. Through improved cloud encryption capabilities, organizations can better help protect sensitive information in motion and at rest. Even if cybercriminals are able to breach your network and bypass the first lines of cyber defense, <a href="https://www.microsoft.com/en-us/trustcenter/security/encryption">encryption helps keep organizational data from falling into unauthorized hands</a>. Additionally, advanced measures like multi-factor authentication (MFA) and Single Sign-On (SSO) provide additional layers of security by ensuring only those with the proper credentials are able to gain access to information and company platforms. These solutions and innovations in tech security are just the beginning.</p> <p>With the advent of new technology and the digitization of how IT experts and professionals communicate, a quicker dissemination of knowledge can occur in a collaborative space. Experts can share and explore new ideas and concepts to quickly improve upon cloud technology and how to best address security concerns. By partnering up, industries are able to break new ground on how to secure information, share information, and revolutionize the way government, private enterprise, education systems, and average people navigate a digitally transforming world.</p> <p>Ready to discover how Microsoft technology is transforming security for a digital-first, cloud-first world, and participate in interactive sessions led by subject matter experts? 
Microsoft is hosting a series of Security Forums in cities across the United States to demonstrate how organizations can use the latest technology to update and improve their cybersecurity efforts. We invite you to join your fellow IT professionals alongside Microsoft experts to discuss new ways to address evolving cyber threats. Find out how your business can use the power of the cloud to boost security, and get a firsthand look at what Microsoft has to offer.</p> <p>For more information, including locations near you and a full event calendar, visit the <a href="https://www.microsoftevents.com/profile/web/index.cfm?PKwebID=0x5342431576&wt.mc_id=AID641621_QSG_BLOG_178512">Microsoft Security Forum events page</a>. Don't delay, as seats are limited. <a href="https://www.microsoftevents.com/profile/web/index.cfm?PKwebID=0x5342431576&wt.mc_id=AID641621_QSG_BLOG_178512">Register now</a> to save your spot!</p> ]]></content:encoded>
</item>
<item>
<title>Microsoft and Progeny Systems enhance security for mobile applications across U.S. Government</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/16/microsoft-and-progeny-systems-enhance-security-for-mobile-applications-across-u-s-government/</link>
<pubDate>Mon, 16 Oct 2017 15:00:49 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=70549</guid>
<description><![CDATA[In our mobile-first, cloud-first world, security is paramount for organizations of any size. It is especially critical to applications used across the U.S. Government, which is why we are working with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems to enhance mobile application security. In support of the broader federal <p><a class="read-more" title="Microsoft and Progeny Systems enhance security for mobile applications across U.S. Government" aria-label="Read more about Microsoft and Progeny Systems enhance security for mobile applications across U.S. Government" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/16/microsoft-and-progeny-systems-enhance-security-for-mobile-applications-across-u-s-government/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p>In our mobile-first, cloud-first world, security is paramount for organizations of any size. It is especially critical to applications used across the U.S. Government, which is why we are working with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems to enhance mobile application security.</p> <p>In support of the broader federal initiative to enable <a href="https://www.gsa.gov/technology/government-it-initiatives/digital-strategy">access to quality digital government information and services anywhere, anytime, on any device</a>, Progeny will build a mobile application development security framework for iOS, Android and Windows apps that will be used across several US Government agencies, both for public facing and internal enterprise use cases. This framework will broadly enable developers across the United States Government to focus on building mobile apps that provide business value, with the confidence that security is built in.</p> <p>The cross-platform, native approach using Visual Studio, the open-source .NET framework, and Xamarin platform will enable developers to build higher quality apps that are fully compliant with the National Information Assurance Partnership (NIAP) mobile app vetting standards, the National Institute of Standards and Technology (NIST) 800-163 guidance and the Department of Homeland Security's Mobile Application Playbook. Utilizing Microsoft's <a href="https://www.gartner.com/doc/reprints?id=1-42YW0M8&ct=170613&st=sb">leading mobile application development tools</a>, the framework will support mobile apps built to run on-premises and on any cloud platform, including government-only clouds such as <a href="https://azure.microsoft.com/en-us/overview/clouds/government/">Azure Government</a>, which meet critical government regulatory compliance requirements.</p> <blockquote><p>"I'd like to congratulate the Department of Homeland Security Science and Technology Directorate for their commitment to addressing the mandates of both security and mobility for their stakeholders," said Greg Myers, Microsoft Vice President of Federal. "We look forward to partnering with DHS and ultimately, by bringing mobile, secure, and compliant technology solutions, helping them fulfil their critical mission."</p></blockquote> <p>Microsoft's latest award from the DHS comes on the heels of several related <a href="https://azure.microsoft.com/en-us/blog/microsoft-azure-reaches-new-industry-leading-cloud-compliance-milestones/">public sector certifications</a> and <a href="https://azure.microsoft.com/en-us/blog/azure-brings-big-data-analytics-and-visualization-capabilities-to-u-s-government/">big data and analytics</a> enhancements to our leading mobile apps and security. It also builds on our current work with the <a href="https://blogs.msdn.microsoft.com/azuregov/2017/03/15/veterans-affairs-issues-fedramp-high-ato-for-microsoft-azure-government1/">Department of Veterans Affairs</a> and Applied Research Associates, whose Instant Notification System enables the U.S. government's <a href="http://resources.xamarin.com/rs/xamarin/images/Xamarin-Case-Study-Applied-Research.pdf">Combating Terrorism and Threat Support Office's Tactical Support Working Group (TSWG)</a> to quickly and effectively notify team members about suspicious packages or events over commercially available networks.</p> <p>You can read more about our mobile application security work with the Department of Homeland Security (DHS) Science and Technology Directorate and Progeny Systems in their <a href="https://www.dhs.gov/science-and-technology/news/2017/10/11/news-release-st-awards-750k-manassas-va-based-tech-firm">news release</a>. For details on Microsoft's leadership in mobile application development, visit <a href="https://www.gartner.com/doc/reprints?id=1-42YW0M8&ct=170613&st=sb">Gartner's Magic Quadrant report</a>.</p> ]]></content:encoded>
</item>
<item>
<title>Easily create securely configured virtual machines</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/12/easily-create-securely-configured-virtual-machines/</link>
<pubDate>Thu, 12 Oct 2017 15:00:40 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Featured]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=70513</guid>
<description><![CDATA[While a securely configured operating system is essential to repelling today's cyber attacks, the base images provided by vendors do not come pre-hardened and require significant research, expertise, and proper configuration by the customer. To make it easier for Microsoft customers to deploy secured virtual machines out of the box, I am excited to share <p><a class="read-more" title="Easily create securely configured virtual machines" aria-label="Read more about Easily create securely configured virtual machines" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/12/easily-create-securely-configured-virtual-machines/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p>While a securely configured operating system is essential to repelling today's cyber attacks, the base images provided by vendors do not come pre-hardened and require significant research, expertise, and proper configuration by the customer. To make it easier for Microsoft customers to deploy secured virtual machines out of the box, I am excited to share the recent availability for purchase of hardened virtual machine images within Azure, based on the partnership between Microsoft and the <a href="https://www.cisecurity.org/">Center for Internet Security</a> (CIS). CIS is a non-profit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks. Hardened images are virtual machine images that have been hardened, or configured, to be more resilient to cyber attacks. These images are available in the <a href="https://azuremarketplace.microsoft.com/">Azure Marketplace</a> and can be used by Azure customers to create new, securely configured virtual machines.</p> <p>Establishing and maintaining the secure configuration of an entity's IT infrastructure continues to be a core tenet of information security. History has shown that the misconfiguration or poor configuration of laptops, servers, and network devices is a common cause of data breaches. Global standards, governments, and regulatory bodies have also highlighted the importance of establishing and maintaining secure configurations, and in many cases, have mandated their use due to their effectiveness. I have included a few of the most relevant and wide-ranging examples in the table below.</p> <table style="height: 226px" width="980"> <tbody> <tr> <td width="208"><strong>Source</strong></td> <td width="236"><strong>Control</strong></td> <td width="180"><strong>Reference</strong></td> </tr> <tr> <td width="208">Center for Internet Security Critical Security Controls</td> <td width="236">CIS Control 3: Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers</td> <td width="180"><a href="https://www.cisecurity.org/controls/secure-configurations-for-hardware-and-software/">https://www.cisecurity.org/controls/secure-configurations-for-hardware-and-software/</a></td> </tr> <tr> <td width="208">Australian Signals Directorate Strategies to Mitigate Cyber Security Incidents</td> <td width="236">User Application Hardening<br /> Server Application Hardening<br /> Operating System Hardening</td> <td width="180"><a href="https://www.asd.gov.au/infosec/mitigationstrategies.htm">https://www.asd.gov.au/infosec/mitigationstrategies.htm</a></td> </tr> <tr> <td width="208">US NIST Cyber Framework</td> <td width="236">PR.IP-1: A baseline configuration of information technology/ industrial control systems is created and maintained</td> <td width="180"><a href="https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf">https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf</a></td> </tr> <tr> <td width="208">Payment Card Industry</td> <td width="236">Build and maintain a secure network and systems</td> <td width="180"><a href="https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1505339723255">https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1505339723255</a></td> </tr> </tbody> </table> <h2>Accessing and Deploying CIS Hardened Images</h2> <p>To view the CIS hardened images, log in to 
the Azure portal and navigate to the Marketplace. You can then search for and filter on the Center for Internet Security. As you can see below, there are hardened images for many of the common operating systems, including Windows Server 2012, Oracle Linux, and Windows Server 2016.</p> <p><img class="size-large wp-image-70516 aligncenter" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_1-1024x700.png" alt="" width="1024" height="700" srcset="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_1-1024x700.png 1024w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_1-300x205.png 300w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_1-768x525.png 768w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_1.png 1431w" sizes="(max-width: 1024px) 100vw, 1024px" /></p> <p>From within the Marketplace blade, you can then select the appropriate image and select the create button to start the deployment journey within the portal or gain further details on deploying the image programmatically. 
Below is an example showing the start of the deployment of a new CIS hardened Windows Server 2016 image.</p> <p><img class="size-large wp-image-70519 aligncenter" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_2-1024x823.png" alt="" width="1024" height="823" srcset="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_2-1024x823.png 1024w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_2-300x241.png 300w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/Accessing-and-Deploying-CIS-Hardened-Images_2-768x617.png 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></p> <p>The hardened images are configured based on the technical specifications established in the related benchmark. These benchmarks are freely available on the <a href="https://www.cisecurity.org/cis-benchmarks/">CIS website in PDF format</a>.</p> <p>The CIS benchmarks contain two levels, each with slightly different technical specifications:</p> <ul> <li>Level 1: Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality</li> <li>Level 2: Recommended security settings for highly secure environments that could result in some reduced functionality.</li> </ul> <p>Prior to deploying one of the CIS hardened images, it is important for the administrator to review the benchmark's specifications, ensure it conforms to the company's policy, procedures, and standards, and perform sufficient testing before deploying to a production environment.</p> <p>CIS is working to release additional hardened images, so check the <a href="https://azuremarketplace.microsoft.com/marketplace">Azure Marketplace</a> for new updates.</p> ]]></content:encoded>
</item>
<item>
<title>What am I missing? How to see the users you’re denied from seeing</title>
<link>https://cloudblogs.microsoft.com/microsoftsecure/2017/10/11/what-am-i-missing-how-to-see-the-users-youre-denied-from-seeing/</link>
<pubDate>Wed, 11 Oct 2017 20:00:54 +0000</pubDate>
<dc:creator><![CDATA[Microsoft Secure Blog Staff]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://cloudblogs.microsoft.com/microsoftsecure/?p=70474</guid>
<description><![CDATA[This blog post is authored by Michael Dubinsky, Principal PM Manager, Microsoft ATA / Azure ATP. Recently Andy (@_wald0) and Will (@harmj0y), who are amazing contributors to the security community, have published the whitepaper An ACE Up the Sleeve: Designing Active Directory DACL Backdoors. In this whitepaper they discuss different methods which can be used by <p><a class="read-more" title="What am I missing? How to see the users you're denied from seeing" aria-label="Read more about What am I missing? How to see the users you're denied from seeing" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/10/11/what-am-i-missing-how-to-see-the-users-youre-denied-from-seeing/">Read more</a></p>]]></description>
<content:encoded><![CDATA[<p><em>This blog post is authored by <a href="https://twitter.com/MichaelDubinsky">Michael Dubinsky</a>, Principal PM Manager, Microsoft ATA / Azure ATP.</em></p> <p><img class="aligncenter wp-image-70507" src="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/EMS_business-scenario-insights-1-1024x713.jpg" alt="" width="824" height="574" srcset="https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/EMS_business-scenario-insights-1-1024x713.jpg 1024w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/EMS_business-scenario-insights-1-300x209.jpg 300w, https://cloudblogs.microsoft.com/microsoftsecure/wp-content/uploads/sites/13/2017/10/EMS_business-scenario-insights-1-768x535.jpg 768w" sizes="(max-width: 824px) 100vw, 824px" /></p> <p>Recently Andy (<a href="https://twitter.com/_wald0">@_wald0</a>) and Will (<a href="https://twitter.com/harmj0y">@harmj0y</a>), who are amazing contributors to the security community, published the whitepaper <em><a href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf">An ACE Up the Sleeve: Designing Active Directory DACL Backdoors</a></em>.</p> <p>In it they discuss different methods attackers can use to remain persistent and stealthy in an environment and avoid detection.</p> <p>In general, this is a very important goal for an attacker and a big part of a successful mission, whether performed by a nation state or by a hacker group.</p> <p>Specifically, the whitepaper mentions the option of setting up a Deny ACE on an object created by the attacker. 
The object in question then becomes invisible (it is not returned by LDAP queries against Active Directory), so it is not seen (or monitored) by any service account used by monitoring solutions.</p> <p>This does sound like an issue: denying permissions to a Domain Admin principal (or the <em>Everyone</em> principal, for that matter) causes an object to become invisible. A cool idea indeed.</p> <p>So this made me think: is there a way to identify <em><strong>all</strong></em> the objects to which I <strong>don't</strong> have permissions?</p> <p>It sounds like a tough task. However, after going through some of the possible resolution APIs together with the ATA security research team, <a href="https://twitter.com/simakov_marina">Marina</a> came across this statement about LsaLookupSids:</p> <p style="padding-left: 30px"><em><a href="https://technet.microsoft.com/en-us/library/ff428139%28v=ws.10%29.aspx#BKMK_LsaLookupSIDs">There is no access check that would require the caller to be able to read the SID or account name to perform the mapping</a>.</em></p> <p>Now that we've found a method to query a SID and get a result regardless of the ACL, we can verify whether the object exists or not.</p> <p>The next step is to identify whether it's a permissions issue. To validate that, we can compare the results of this API with the results of the LDAP query.</p> <p>If <em><strong>only</strong></em> LsaLookupSids returns a result while the LDAP query fails, this means one thing (after cleaning up several bugs related to SIDHistory): <strong>we don't have permissions on the object</strong>!</p> <p>I've made a small PowerShell script to demonstrate this capability. 
The script enumerates all RIDs in a specific domain and compares the LDAP result to the LsaLookupSids result to see what I am missing.</p> <p>The script can be found at <a href="https://github.com/michdu/WhatAmIMissing">https://github.com/michdu/WhatAmIMissing</a>.</p> <p>This should make discovering ACL-hidden objects a little bit easier.</p> ]]></content:encoded>
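To make the comparison concrete, here is an added PowerShell example written for this edit; it is not the script from the post's repository. It builds each SID from the domain SID and a RID, resolves it through .NET's SecurityIdentifier.Translate(), which calls LsaLookupSids underneath and therefore succeeds regardless of the object's DACL, and then searches LDAP for the same SID in either objectSid or sIDHistory. A SID that resolves but has no LDAP hit is one the caller is not permitted to read. The RID range, the use of the current user's domain, the sIDHistory handling, and the assumption that the caller is a domain-joined account with ordinary read rights are assumptions of the example, not statements from the post.

```powershell
# Added example: find AD objects that LsaLookupSids can resolve but LDAP will
# not return to the current caller. Assumes a domain-joined session; the
# default RID range and domain are assumptions, adjust them for your forest.
param(
    [string]$Domain   = $env:USERDNSDOMAIN,   # assumption: caller's own domain
    [int]$StartRid    = 500,                  # first domain-specific RID
    [int]$EndRid      = 5000                  # assumption: upper bound to scan
)

# Serverless bind to the domain head and read its objectSid.
$root      = [ADSI]"LDAP://$Domain"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($root.objectSid.Value, 0)

function Resolve-SidViaLsa {
    # Translate() maps a SID to an account name through LsaLookupSids, which
    # performs no access check on the target object.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch [System.Security.Principal.IdentityNotMappedException] { return $null }
}

function Find-SidViaLdap {
    # An LDAP search is subject to the object's DACL; a Deny ACE on the object
    # (or on a parent) makes this return nothing for the caller.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] ($Sid.BinaryLength)
    $Sid.GetBinaryForm($bytes, 0)
    $escaped  = ($bytes | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    # Match sIDHistory too: a migrated SID resolves via LSA but is not any
    # object's objectSid, which would otherwise look like a hidden object.
    $filter   = "(|(objectSid=$escaped)(sIDHistory=$escaped))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $hit = $searcher.FindOne()
    if ($hit) { return $hit.Properties['distinguishedname'][0] } else { return $null }
}

$hidden = @()
foreach ($rid in $StartRid..$EndRid) {
    $sid  = New-Object System.Security.Principal.SecurityIdentifier("$($domainSid.Value)-$rid")
    $name = Resolve-SidViaLsa $sid
    if (-not $name) { continue }              # unused RID: neither API knows it
    $dn = Find-SidViaLdap $sid
    if (-not $dn) {
        # LSA says the account exists, LDAP shows nothing: the caller lacks
        # read permission on the object. Confirm manually before treating it as
        # a DACL backdoor.
        $hidden += [pscustomobject]@{ Sid = $sid.Value; Account = $name }
    }
}
$hidden | Format-Table -AutoSize
```

Run it under the account whose view actually matters, typically the service account your monitoring solution binds with, since that is the perspective a Deny ACE is designed to blind; a hit for a privileged account such as a Domain Admin is the case the whitepaper describes and deserves an immediate look at the object's DACL from a different principal.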
</item>
</channel>
</rss>


